    IPSEC behind NAT won't connect - "no shared key" error

    3 Posts 2 Posters 2.9k Views
mcarson75:

      I have just switched to a fiber connection.  The local side pfSense gets a fixed IP from the ISP but the public-facing IP changes every time the modem restarts (as seen through whatsmyip.org).  Remote side pfSense has a fixed IP.

      Both sides have pfSense 2.3.2-RELEASE-p1

      If I set up an IPSEC connection from the remote to the public-facing IP address it connects correctly and everything works as it should.  However, if I set the remote side to connect to the fixed IP instead it will not connect, with invalid key errors.

      I have tried it with NAT traversal both set to "auto" and "fixed" and it makes no difference.

      Settings are identical for both sides

      IKE v1
      Mutual PSK
      Main
      My identifier - fixed IP address (peer identifier set to this on remote)
      Peer identifier - Peer IP address (set to "My IP address" on remote)
      PSK = same on both
      AES 256bit
      SHA256
      DH group 2
      86400 seconds
      Disable rekey unchecked
      Responder only unchecked
      NAT Traversal auto
      DPD enabled
      Delay 20
      Max failures 5

      Logs for both sides are below:

      xxx.xxx.xxx.xxx = Fiber modem IP address (pfSense local WAN address behind NAT)
      yyy.yyy.yyy.yyy = ISP public IP address (changes whenever modem resets)
      zzz.zzz.zzz.zzz = Remote IP address (Remote pfSense WAN, no NAT)
      
      Local side
      
      Feb 6 17:51:02	charon		13[IKE] <con1000|191> initiating Main Mode IKE_SA con1000[191] to zzz.zzz.zzz.zzz
      Feb 6 17:51:02	charon		13[ENC] <con1000|191> generating ID_PROT request 0 [ SA V V V V V ]
      Feb 6 17:51:02	charon		13[NET] <con1000|191> sending packet: from xxx.xxx.xxx.xxx[500] to zzz.zzz.zzz.zzz[500] (184 bytes)
      Feb 6 17:51:02	charon		11[NET] <con1000|191> received packet: from zzz.zzz.zzz.zzz[500] to xxx.xxx.xxx.xxx[500] (140 bytes)
      Feb 6 17:51:02	charon		11[ENC] <con1000|191> parsed ID_PROT response 0 [ SA V V V ]
      Feb 6 17:51:02	charon		11[IKE] <con1000|191> received XAuth vendor ID
      Feb 6 17:51:02	charon		11[IKE] <con1000|191> received DPD vendor ID
      Feb 6 17:51:02	charon		11[IKE] <con1000|191> received NAT-T (RFC 3947) vendor ID
      Feb 6 17:51:02	charon		11[ENC] <con1000|191> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Feb 6 17:51:02	charon		11[NET] <con1000|191> sending packet: from xxx.xxx.xxx.xxx[500] to zzz.zzz.zzz.zzz[500] (268 bytes)
      Feb 6 17:51:02	charon		10[NET] <con1000|191> received packet: from zzz.zzz.zzz.zzz[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
      Feb 6 17:51:02	charon		10[ENC] <con1000|191> parsed INFORMATIONAL_V1 request 3587200257 [ N(INVAL_KE) ]
      Feb 6 17:51:02	charon		10[IKE] <con1000|191> received INVALID_KE_PAYLOAD error notify
      Feb 6 17:51:03	charon		10[KNL] creating acquire job for policy xxx.xxx.xxx.xxx/32|/0 === zzz.zzz.zzz.zzz/32|/0 with reqid {1}
      
      Remote side
      
      Feb 6 12:06:56	charon		12[IKE] <8777> yyy.yyy.yyy.yyy is initiating a Main Mode IKE_SA
      Feb 6 12:06:56	charon		12[ENC] <8777> generating ID_PROT response 0 [ SA V V V ]
      Feb 6 12:06:56	charon		12[NET] <8777> sending packet: from zzz.zzz.zzz.zzz[500] to yyy.yyy.yyy.yyy[46880] (140 bytes)
      Feb 6 12:06:57	charon		08[NET] <8777> received packet: from yyy.yyy.yyy.yyy[46880] to zzz.zzz.zzz.zzz[500] (268 bytes)
      Feb 6 12:06:57	charon		08[ENC] <8777> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Feb 6 12:06:57	charon		08[IKE] <8777> remote host is behind NAT
      Feb 6 12:06:57	charon		08[IKE] <8777> no shared key found for zzz.zzz.zzz.zzz - yyy.yyy.yyy.yyy
      Feb 6 12:06:57	charon		08[ENC] <8777> generating INFORMATIONAL_V1 request 1497720683 [ N(INVAL_KE) ]
      Feb 6 12:06:57	charon		08[NET] <8777> sending packet: from zzz.zzz.zzz.zzz[500] to yyy.yyy.yyy.yyy[46880] (56 bytes)
      Feb 6 12:06:57	charon		16[NET] <8778> received packet: from yyy.yyy.yyy.yyy[46880] to zzz.zzz.zzz.zzz[500] (184 bytes)
      Feb 6 12:06:57	charon		16[ENC] <8778> parsed ID_PROT request 0 [ SA V V V V V ]
      Feb 6 12:06:57	charon		16[IKE] <8778> received XAuth vendor ID
      Feb 6 12:06:57	charon		16[IKE] <8778> received DPD vendor ID
      Feb 6 12:06:57	charon		16[IKE] <8778> received FRAGMENTATION vendor ID
      Feb 6 12:06:57	charon		16[IKE] <8778> received NAT-T (RFC 3947) vendor ID
Feb 6 12:06:57	charon		16[IKE] <8778> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      
jimp (Rebel Alliance Developer, Netgate):

        If your "fixed" address is public then the ISP should not be changing that address. When you are behind NAT, as you appear to be, the far side has to build the tunnel to the public address it sees (especially in Main mode).

        If your "fixed" address is private or in CGN space then it's useless as far as being "fixed" goes.

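The two remote-side log lines that matter here are "remote host is behind NAT" and "no shared key found for zzz.zzz.zzz.zzz - yyy.yyy.yyy.yyy". The following is an added Python model of both, not code from the thread, pfSense or strongSwan: RFC 3947 NAT-D hashes computed by each side over the addresses it sees, and the IKEv1 Main Mode PSK lookup, which can only use the peer's observed source address because the ID payload is still encrypted when the key is needed. The RFC 5737 addresses, the fixed cookies and the (local IP, peer IP) secrets table are all constructed assumptions for the example; SHA-256 is used as the negotiated hash to match the phase 1 settings listed above.

```python
# Added example, not from the thread: models RFC 3947 NAT-D detection and the
# IKEv1 Main Mode PSK lookup behind "remote host is behind NAT" and
# "no shared key found" on the remote side. Addresses are RFC 5737 placeholders.
import hashlib
import ipaddress
import struct

# Constructed stand-ins for the thread's xxx / yyy / zzz addresses.
INSIDE_WAN = "192.0.2.10"    # xxx: the ISP's "fixed" address on the local pfSense WAN
ISP_PUBLIC = "198.51.100.7"  # yyy: what the internet sees after the ISP's NAT
REMOTE = "203.0.113.1"       # zzz: remote pfSense WAN, no NAT

# Fixed cookies so the run is reproducible; real IKE cookies are random.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: HASH = hash(CKY-I | CKY-R | IP | Port).
    The hash is the one negotiated in the first exchange; SHA-256 here,
    matching the thread's phase 1 settings (assumption for the example)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha256(data).digest()


def responder_nat_check(initiator_view, responder_view):
    """initiator_view: (src_ip, src_port, dst_ip, dst_port) as the initiator sees it.
    responder_view:  the same tuple as the packet actually arrives at the responder.
    The initiator sends NAT-D for the destination first, then for its own source;
    the responder rebuilds both from the addresses it observed and compares."""
    i_src, i_sport, i_dst, i_dport = initiator_view
    r_src, r_sport, r_dst, r_dport = responder_view
    sent_for_responder = nat_d_hash(CKY_I, CKY_R, i_dst, i_dport)
    sent_for_initiator = nat_d_hash(CKY_I, CKY_R, i_src, i_sport)
    return {
        "local_behind_nat": sent_for_responder != nat_d_hash(CKY_I, CKY_R, r_dst, r_dport),
        "remote_behind_nat": sent_for_initiator != nat_d_hash(CKY_I, CKY_R, r_src, r_sport),
    }


def find_psk(secrets, my_ip, peer_ip):
    """Main Mode PSK responder: the peer's ID payload is still encrypted when the
    key is needed, so the lookup can only use the observed source address.
    `secrets` is a simplified table keyed by (local IP, peer IP)."""
    return secrets.get((my_ip, peer_ip))


def simulate(remote_peer_setting):
    """Run the remote responder with its tunnel pointed at `remote_peer_setting`
    while the packet actually arrives from ISP_PUBLIC (the NATed source)."""
    nat = responder_nat_check(
        initiator_view=(INSIDE_WAN, 500, REMOTE, 500),
        responder_view=(ISP_PUBLIC, 46880, REMOTE, 500),
    )
    secrets = {(REMOTE, remote_peer_setting): b"same-psk-on-both-sides"}
    psk = find_psk(secrets, REMOTE, ISP_PUBLIC)
    if psk is None:
        log = f"no shared key found for {REMOTE} - {ISP_PUBLIC}"
    else:
        log = "shared key found, continuing Main Mode"
    return {
        "remote_behind_nat": nat["remote_behind_nat"],
        "psk_found": psk is not None,
        "log": log,
    }


if __name__ == "__main__":
    for setting in (INSIDE_WAN, ISP_PUBLIC):
        print(f"remote peer configured as {setting}: {simulate(setting)}")
```

Pointing the remote tunnel at the inside "fixed" address reproduces the failure: NAT-D still detects the NAT correctly, but the PSK lookup for the source the responder actually sees comes up empty, which is exactly the situation jimp describes. Pointing it at the public address (or a dynamic DNS name that resolves to it, as the original poster later did) makes the same lookup succeed.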

mcarson75:

Yeah, unfortunately my ISP here in Nepal doesn't seem to understand what they have. I tell them I need a fixed public IP and they keep telling me "You have a static IP!" but I know it is NATed to the outside world. I have actually gotten IPSEC working decently well to the external IP by using dynamic DNS, but I still have other issues. For instance my kids' Xbox still has "Strict" NAT despite the fact that I have all the correct ports forwarded on my end, so they can't play Minecraft online. I'll just have to keep talking to the ISP until I find someone that understands the problem.

          Thanks,
          -Matt

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.